North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack

· Published 01/04/2026 15:28 · Modified 01/04/2026 19:29

Essential information

Published
01/04/2026 15:28
Modified
01/04/2026 19:29
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
axios javascript npm
Tags
2026-04-01 axios javascript npm
Related entities
8 indicators, 8 observables, 1 intrusion sets (apt), 5 techniques (mitre), 1 others

Description

Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package "axios." Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named "plain-crypto-js" into axios release versions 1.14.1 and 0.30.4. Axios is the most popular library used to simplify HTTP requests, and these packages typically have over 100 million and 83 million weekly downloads, respectively. This malicious dependency is an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.

External references